On Tuesday, February 24, 2015, Pell Center Executive Director Jim Ludes offered testimony on Rhode Island Senate Bill 134, a legislative proposal that drew from work done at the Pell Center to improve Rhode Island's data breach notification law. His testimony, as prepared, follows below:
* * *
Testimony of James M. Ludes, Ph.D.
Executive Director, Pell Center for International Relations and Public Policy at Salve Regina University
Before the RI State Senate Judiciary Committee
February 23, 2015
Mr. Chairman, members of the committee, thank you for the opportunity to appear before you today to offer some brief remarks on Senate Bill 134 offered by Senator Lou DiPalma. I have submitted my full testimony in writing and respectfully request that it be included in the record.
Mr. Chairman, I am the Executive Director of the Pell Center for International Relations and Public Policy—a think tank on the campus of Salve Regina University in Newport. Named for a giant in Rhode Island’s political history, the late Senator Claiborne Pell, the Pell Center exists to help our community think through complex issues and make good policy decisions.
For several years, one of the Pell Center’s principal focus areas has been cybersecurity. We’ve published several studies by Ms. Francesca Spidalieri, who is our Senior Fellow for Cybersecurity Leadership, on emerging trends in cybersecurity, especially the preparation of leaders for an era of persistent cyber threat.
As an outgrowth of that research, we have organized the Rhode Island Corporate Cybersecurity Initiative (RICCI)—an effort to bring together Rhode Island’s corporate leaders to share information about the most critical cybersecurity challenges facing the private sector. RICCI meets monthly at the Pell Center in Newport for briefings and occasional exercises designed to encourage Rhode Island’s senior executives to take ownership of their organization’s cybersecurity and help them develop approaches to make their companies more secure and resilient to cyber incidents.
Last September, we hosted a roundtable discussion on Rhode Island’s current data security breach notification law—its gaps, how it compares to similar laws in other states, and how the RI law might be improved.
Senator DiPalma and Representative Stephen Ucci attended that session of RICCI and drew from it important insights that shaped the legislation you are considering today.
Mr. Chairman, we need only to read the newspaper occasionally to know that we are in an era of massive data breaches. The list of affected companies is long, but the list of affected Americans is even longer. In 2013, the information security firm Symantec reported that 552 million personal records were breached by hackers. The November 2013 breach of Target Corp. alone exposed 110 million customers to possible fraud or identity theft.
In a summary of the September RICCI meeting prepared by Ms. Spidalieri, she wrote:
Target’s response and notification drew heavy criticism based on the method of notification as well as its timeliness. Like many other retailers, major banks, and countless other companies, Target chose to keep evidence of its data breach private until cybersecurity expert Brian Krebs brought the issue to light on his blog “Krebs on Security.” Unfortunately, the reticence to disclose data breaches is widespread and deeply rooted within corporate America. Days, weeks or even longer periods can pass between the moment a company learns of a cyber-crime and when its customers do. That gap can amount to crucial lost time for people and other organizations that would need to take immediate measures to protect themselves by monitoring transactions, changing passwords, or alerting other relevant parties such as a credit card company.
A wave of state laws passed over the last dozen years requiring companies to notify customers in a timely manner about data breaches that affect them. Forty-seven states and the District of Columbia have laws governing such disclosures (as of August 1, 2014, only Alabama, New Mexico, and South Dakota had no laws related to security breach notification). Rhode Island has had its breach notification law on the books since 2005. Rhode Island’s current “Notification of breach law,” however, is outdated and gives a business little clear direction to follow in the event of a data breach. The participants in the Pell Center workshop noted that this law requires disclosure “in the most expedient time possible and without unreasonable delay,” but does not prescribe an actual timeframe and allows for delays to accommodate “the legitimate needs of law enforcement” during an ongoing investigation. Moreover, it requires notification of a breach “if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person,” but does not provide additional measures to prevent future breaches or to effectively mitigate the risks associated with data breaches. Finally, there is no mention of the role that state agencies or law enforcement should play in the case of a data breach, or of whom within those departments should be notified.
As I mentioned, Senator DiPalma and Representative Ucci participated in our September RICCI workshop. Their proposed legislation, we believe, reflects well the consensus of the participants in that session. In particular:
- The proposed legislation would extend the definition of “personal information” to medical information, health insurance information, and email addresses when acquired with passwords.
- It would define clearly the course of action a business must take in the event of a data security breach and the specific timing of notification to those individuals potentially affected by the breach (no later than 15 days after the discovery).
- It would also define the roles that the Attorney General, law enforcement, and major credit reporting agencies play in case of a data breach and the notification requirements of these agencies.
- It would include data security requirements for third parties.
- Finally, the proposed legislation would require all entities in Rhode Island not to retain personal information for a period longer than necessary for the specific services provided, and to destroy all records (including paper records) when personal records are discarded.
As you know, President Obama has rightly identified cybersecurity as an urgent national security challenge, and he has talked about a federal data breach notification law that would address many of these issues, too. But just because the president is talking about it does not mean Congress will do anything about it. The burden then falls to the individual states to address this issue where they can while we wait for Congress to act. The reality is that, if passed, this legislation could serve as a model for the country to follow, both in other state houses and at the federal level.